Beginning on May 25th, 2018, companies which operate in the European Union have to adhere to the GDPR. Coursedot has a special quick and easy guide to provide the basics of GDPR. This is the fifth part of the series, and here we get into the new rights for individuals. The previous part is right here.
Now, let’s get right down to the details about
The New Rights for Individuals
As noted earlier, the GDPR introduces several new rights for individuals. They cover various important details about how individuals’ data is collected and processed. Now let’s take a look at them and what they mean for your business.
Rights of data subjects, i.e. individuals
Definition: Controllers have a legal obligation to give effect to the rights of data subjects.
What it means: This simply makes official what was already understood – companies have to comply with the rights of individuals, and the burden of giving effect to those rights sits with the controller.
Right to basic information
Definition: Data subjects have the right to be provided with information on the identity of the controller, the reasons for processing their personal data and other relevant information necessary to ensure the fair and transparent processing of personal data.
What it means: Simple: make sure the identity and contact details of the controller, the purposes of the processing and the other required information are available on your site and on the consent form or page.
Right of access
Definition: This is going to be a long one. Data subjects have the right to obtain the following:
• confirmation of whether, and where, the controller is processing their personal data;
• information about the purposes of the processing;
• information about the categories of data being processed;
• information about the categories of recipients with whom the data may be shared;
• information about the period for which the data will be stored (or the criteria used to determine that period);
• information about the existence of the rights to erasure, to rectification, to restriction of processing and to object to processing;
• information about the existence of the right to complain to the DPA;
• where the data were not collected from the data subject, information as to the source of the data; and
• information about the existence of, and an explanation of the logic involved in, any automated processing that has a significant effect on data subjects.
• Additionally, data subjects may request a copy of the personal data being processed.
What it means: The GDPR brings a big expansion of the mandatory categories which fall under the Right of access. The GDPR also notes that the Right of access should not adversely affect an organization’s intellectual property or trade secrets. However, the expanded scope of information which organizations have to provide upon request places a heavier burden on internal processes.
Right of rectification
Definition: Controllers must ensure that inaccurate or incomplete data are erased or rectified. Data subjects have the right to rectification of inaccurate personal data.
What it means: This has always been the case. So, always be open to requests from individuals to correct their data and do it in a timely manner. Have the needed internal processes in place to do so quickly and efficiently.
Right to erasure (the “right to be forgotten”)
Definition: The criteria which fall under the right to be forgotten are:
• the data are no longer needed for their original purpose (and no new lawful purpose exists);
• the lawful basis for the processing is the data subject’s consent, the data subject withdraws that consent, and no other lawful ground exists;
• the data subject exercises the Right to object, and the controller has no overriding grounds for continuing the processing;
• the data have been processed unlawfully; or
• erasure is necessary for compliance with EU law or the national law of the relevant Member State.
What it means: The GDPR further broadens the Right to be forgotten. This means companies have more types of data and more legal grounds on which they have to “forget” about someone when that person asks.
The right to restrict processing
Definition: Another long one: Data subjects have the right to restrict the processing of personal data. This means the controller may keep the data but may only use it in limited ways if:
• the accuracy of the data is contested (valid until the data is corrected);
• the processing is unlawful and the data subject requests restriction (as opposed to exercising the right to erasure);
• the controller no longer needs the data for their original purpose, but the data are still required by the controller to establish, exercise or defend legal rights; or
• the data subject has objected to the processing and verification of whether the controller’s grounds override those of the data subject is still pending.
What it means: The GDPR adds more conditions under which data processing has to be restricted upon the request of an individual. Companies must have the capability to honor these requests, which in practice means being able to flag data as restricted rather than simply deleting or continuing to use it.
Right of data portability
Definition: Individuals have a right to:
• receive a copy of their personal data in a structured, commonly used, machine-readable format that supports re-use;
• transfer their personal data from one controller to another;
• store their personal data for further personal use on a private device; and
• have their personal data transmitted directly between controllers without hindrance.
What it means: Companies have to check whether they are affected by these rules. If they are, they have to create the needed processes in order to complete these tasks upon request. They also have to ensure the exported data is in an interoperable format and, where technically feasible, allow individuals to have the data transmitted directly to another controller.
Right to object to processing
Definition: Individuals have the right to object, on grounds relating to their particular situation, to the processing of personal data, where the basis for that processing is either public interest or legitimate interests of the controller.
What it means: Under the GDPR, companies that receive such an objection have to stop the processing unless they can demonstrate compelling legitimate grounds that override the interests, rights and freedoms of the individual, or that the processing is needed to establish, exercise or defend legal claims. Until they can make that case, they have to cease processing upon request.
Right to object to processing for the purposes of direct marketing
Definition: Data subjects have the right to object to the processing of personal data for the purpose of direct marketing, including profiling.
What it means: This is virtually the same as under the 1995 Directive, with the GDPR making explicit that the objection also covers profiling related to direct marketing. Once the individual objects, the data may no longer be processed for that purpose.
Right to object to processing for scientific, historical or statistical purposes
Definition: Where personal data are processed for scientific and historical research purposes or statistical purposes, the data subject has the right to object, unless the processing is necessary for the performance of a task carried out for reasons of public interest.
What it means: This gives more clarity to the previous definitions from the Directive. Big changes are not expected for most organizations and businesses.
Right not to be evaluated on the basis of automated processing
Definition: Data subjects have the right not to be subject to a decision based solely on automated processing (including profiling) which significantly affects them. Such processing is permitted where:
• it is necessary for entering into or performing a contract with the data subject provided that appropriate safeguards are in place;
• it is authorised by law; or
• the data subject has explicitly consented and appropriate safeguards are in place.
What it means: Most of the original definitions remain the same. The GDPR clarifies that the individual’s explicit consent is a valid basis for decisions based on automated processing, including profiling, provided appropriate safeguards are in place.
Right to be informed
Definition: Companies must inform individuals about any gathering of data before it is actually collected. Where the processing relies on consent, individuals have to opt in to their data being gathered, and consent must be given by a clear affirmative action rather than automatically presumed (for example, pre-ticked boxes do not count).
What it means: You have to make visible to the individual what data your company will collect and why it needs it, and then ask the individual for permission before any personal data is gathered.
Right to be notified
Definition: If a data breach has occurred and compromises an individual’s personal data, the company has to notify the supervisory authority within 72 hours of first becoming aware of the breach, and, where the breach is likely to result in a high risk to the individual’s rights and freedoms, inform the affected individual without undue delay.
What it means: Do NOT forget to inform the authority and the affected users in a timely manner, and do NOT hope you can sweep this under the rug.
Those are the new Rights for Individuals which the GDPR either introduces or updates. Your company or organization has to be able to comply with these rules and honor requests from individuals in a timely manner. So, be sure to set up the appropriate internal processes to be able to do so.
In part 6 we will take a look at the GDPR fines.